Malicious PDF — malware analysis report

Static analysis result for SHA-256 5821923ffd988593…

MALICIOUS

PDF

53.7 KB Created: 2020-09-02 00:00:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 652e2185b051628c0866f1ac1add8b43 SHA-1: c9672e184b90226beba3e11e40a0bce9711f6380 SHA-256: 5821923ffd988593b32a233d9249a3ab45e28af7e104ea9063b899f43abe60be
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF document contains a lure related to 'Adp payroll tax services soc 1 report' and embeds multiple external links. One of these links, 'https://ttraff.ru/wix?keyword=adp+payroll+tax+services+soc+1+report', is identified as a malicious redirector. The document's structure and embedded links suggest a phishing attempt to redirect users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=adp+payroll+tax+services+soc+1+report
    • https://static.usrfiles.com/ugd/e1c37d_87ec2b4003ff4787be833b0b9e41138c.pdf
    • https://static.usrfiles.com/ugd/a640e9_3e54474a31594abcb219a110f5a01182.pdf
    • https://static.usrfiles.com/ugd/6c98bc_ff3cf52bff6d4cd6a26ed9e571e612d2.pdf
    • https://static.usrfiles.com/ugd/b65acf_a84fa058ef7e48b4a5c9d72b3eed5008.pdf
    • https://static.usrfiles.com/ugd/69b86f_a60d1ed9b784417f8f7b290e45949912.pdf
    • https://static.usrfiles.com/ugd/b47706_4a6d414a20db493eaeaf6879295a56e3.pdf
    • https://static.usrfiles.com/ugd/3ab5ed_5fabcc1d21ce444db69eafbcccd88867.pdf
    • https://static.usrfiles.com/ugd/b8c837_a054bf630dbb487b9970bd36e6cc5104.pdf
    • https://static.usrfiles.com/ugd/b8c837_90b894dfaf584e44b82e71d2bf24d862.pdf
    • https://cdn.shopify.com/s/files/1/0431/8268/6367/files/53696260777.pdf
    • https://cdn.shopify.com/s/files/1/0433/8774/8519/files/97908396556.pdf
    • https://cdn.shopify.com/s/files/1/0435/0181/3915/files/18446269492.pdf
    • https://cdn.shopify.com/s/files/1/0429/5848/7703/files/icao_annex_14_volume_2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000087c5.bin
47670af06c407a1492d339b17348a605486c680e8e5578482773e35f446733aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87C5 5336 bytes
font_01_sfnt_off00009a10.bin
bc320ff0bc4d06e1ae15f9e48405298acacaeb3b5ec7574011f2954fdc2d2c88		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9A10 14396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.